Comodo Security's root authority system was compromised by attackers logging in and issuing digital certificates to popular Websites belonging to Microsoft, Google, Yahoo, Skype and Mozilla.
A Comodo Security partner was compromised and attackers issued valid digital certificates for popular Websites that would have potentially allowed them to spoof content and perform man-in-the-middle attacks, Microsoft warned.

The nine fraudulent Web certificates affected seven domains, including Microsoft Live service, Google's mail system, Yahoo and Skype, Microsoft said in a March 23 security advisory. There are no active attacks at this time, according to Bruce Cowper, group manager of trustworthy computing at Microsoft.

Comodo has revoked these certificates, and the malicious certificates are listed in Comodo's current Certificate Revocation List, according to Comodo. No Web browser should be accepting the incorrect certificates at this time, Comodo said.

The perpetrators would have been able to spoof content, perform phishing attacks or perform man-in-the-middle attacks only if they had control of the Domain Name System infrastructure as well, Comodo said.

The attacker obtained the user name and password of a Comodo trusted partner in Southern Europe who was authorized to perform primary validation of certificate requests, Comodo wrote on its blog. The attacker used the stolen credentials to log in to the Comodo RA (root authority) account, and issued those certificates on March 15, according to the post.

"The attacker was well-prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs (certificate signing requests) for these certificates and submit the orders to our system so that the certificates would be produced and made available to him," Comodo said.

The attacker was still using the account when the breach was identified and the account suspended, possibly preventing more certificates from being issued, Comodo said. Remediation efforts began "immediately," and additional audits and controls have been deployed.

Comodo declined to specify details regarding controls that were implemented.

Comodo root keys, intermediate CAs or secure hardware were not compromised, Comodo said. The attacker created a new user account, which has also been suspended.

Comodo said the attack originated from an IP address assigned to an Internet service provider in Iran. One certificate for Yahoo's login page was tested using a server in Iran, but had already been revoked and was blocked from being used, according to Comodo's incident report.

The server in question has stopped responding to requests. The IP address and server information may be circumstantial evidence as the attacker could have been attempting to lay a false trail, Comodo said. However, the company also noted that the Iranian government has recently attacked other encrypted methods of communication.

Unlike a typical cyber-criminal, who would have targeted financial organizations, this particular attacker focused on communications infrastructure. The targeted domains would be of "greatest use" to a government attempting surveillance of Internet use by dissidents, especially considering the recent turmoil in North Africa and the Persian Gulf region, Comodo said.

Comodo believes this was likely a state-driven attack. This is the first time Comodo is seeing a "state funded" attack against the "authentication" infrastructure, said Melih Abdulhayoglu, CEO and chief security architect of Comodo.

Comodo is "not yet clear" about the nature of the partner's data breach other than the fact that the partner's other online accounts were also compromised, he said.

Users who have enabled Online Certificate Status Protocol on their Web browsers will interactively validate these certificates and block them from being used. Comodo has monitored the OCSP responder traffic and has not detected any attempts to use the certificates after they were revoked, according to the incident report.
The certificates were issued for "Global Trustee" as well as for the following URLs: login.live.com, mail.google.com, google.com, login.skype.com and addons.mozilla.org. There were three certificates issued for login.yahoo.com, as well. Only one of the certificates for Yahoo was seen live on the Internet, according to the incident report. Comodo is not sure if the attackers received all the requested certificates in the first place.
Microsoft has developed a mitigation update, which is available through the Microsoft Download Center and the Windows Update Service. Customers can download the update to help protect against inadvertent use of the fraudulent digital certificates, said Microsoft's Cowper.